Messages: 17
Open-Source Security Comes Under Fire
A recent research note from two analysts at the Aberdeen Group calls open-source software and Linux distributions the "2002 poster children for security problems." Of the 29 advisories issued through October by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, 16 of them addressed vulnerabilities in open-source or Linux products.
Read Open-Source Security Comes Under Fire.
"However, many security experts find fault with that argument. The fact is, they say, neither one is inherently more secure than the other; it all comes down to the skill with which the code is written and audited."
Message #66709
Open-Source Security Comes Under Fire
I'd also be interested in seeing a comparison on how quickly fixes to known bugs are issued. Phrased differently, which camp is more reliable in fixing security problems?
Message #66712
Open-Source Security Comes Under Fire
>>I'd also be interested in seeing a comparison on how quickly fixes to known bugs are issued. Phrased differently, which camp is more reliable in fixing security problems?
I would argue providing a quick fix for security problems is no solution. Even if the so-called 'camp' provides a fix, how often would a sysadmin at any organization use the fix?
Message #66717
Open-Source Security Comes Under Fire
I also consider another aspect of security - how many people would want to break your security?
Given how a number of people hate MS, I would say that for every hacker/tool/etc. that is intended to break into Linux/Solaris/AIX etc. there are 10 or more that are aimed at MS.
It's actually sometimes quite funny - for a hole in MS software, a tool that allows everyone with half a brain to wreak havoc is created almost immediately, while the same people have "moral barriers" to creating a similar tool if, say, they find the newest hole in Sendmail.
Regards,
Vlad
Message #66718
Open-Source Security Comes Under Fire
Since most of the open source is not owned by a single RESPONSIBLE company, it's bound to have problems: several users have several different versions, some have patches - some don't, something works on one version - the same thing doesn't on another version. This is the downside of open source, and the article is stating just the same.
My 4 cents :)
Message #66719
Open-Source Security Comes Under Fire
What would be more telling is the number of product updates / security fixes. Of course a product would have less flaws if it takes 1 year to update.
Message #66724
Open-Source Security Comes Under Fire
This seems like a flawed comparison to me. I mean, I don't really care, not really siding with either camp, but it seems like by the sheer number of open source products - I mean, how many flavors of Linux are out there, not to mention the number of desktops; there must be 100,000 projects on SourceForge. With that number of programs you are bound to find 16 security flaws. Microsoft doesn't even have 1/10th of the apps open source does. Yet they have 1/3 the errors. How is this a good comparison? How about a vulnerabilities/app ratio? What's that?
Message #66729
Open-Source Security Comes Under Fire
You have to compare it in terms of how complex the software is. There are lots of open source projects out there, but do they compare in terms of complexity to that of MS? So it is simply not an issue of ratio but one of complexity. MS builds complex software.
Message #66734
Open-Source Security Comes Under Fire - Its Obvious
I agree to some extent. And if you READ the article fine, it's not comparing MS vs. any other O/S, it's just saying MS has this many holes, Linux has this many holes. It's not taking any side.
And however much we like open source, we've got to accept that until there is one "STANDARD BASE" in open source, we will always have issues like compatibility, version mismatch, security holes. Practically every open source user can have his/her own version.
With MS, it owns everything of WINDOWS, and we can go to their site to look for any patches. With Linux, the first thing I do is go on Google, Linux forums etc. There is no single place to find the answer to a problem. Open source has to live with it.
And one more point I would agree with to a large extent is that MS is still used a hell of a lot more than any other OS. So it's obvious that it will be tested a lot more than any other OS and naturally people will find more problems in MS. Linux hasn't come to that level of usage yet. Once it is, we may find many more problems in Linux than we see now.
I guess what we need is a "STANDARD OPEN SOURCE".
Message #66738
Open-Source Security Comes Under Fire
Aberdeen Group is no different than other for-profit "research groups". Their findings are, not surprisingly, often reflective of what they were paid to find.
Coincidentally, about the time of the publication of this new Aberdeen report, pages like this one ("Last Updated: November 13, 2002") have removed the references to Aberdeen reports written for Microsoft. Of course, you can still find them in Google's cache:
"ISA Server: A Versatile "Swiss Army Knife" Security Solution. See why the Aberdeen Group finds ISA Server to be a flexible security solution in this report comparing the active electronic infrastructure management features of various enterprise firewalls. Register to obtain a copy at no charge.... (Last Updated: September 04, 2002)"
As anyone who has worked in PR for a software company knows, the ideas for these "research notes" typically come from the company that the research note would help, and they typically come with a payment. That is not always true, and I have no facts that would lead me to believe that the same is true in this case, however I highly doubt that Aberdeen could have switched to being an objective non-profit without the rest of us finding out.
On the subject of security, Microsoft has done a good job patching security holes in its product. Say what you will about the huge number of holes found (not surprising for such a huge amount of software built around a desktop ease-of-use model), it still has a very long ways to go before reaching parity with "boring" server products like Unix and Linux, which have relatively little complexity for hiding holes in. (Unix, anyway. Linux is trying to gain install-size parity with Windows ;-)
There have been a few major vulnerabilities reported this last year that have applied to several of the Unix servers and Linux, and those are pretty disturbing. At least one made it possible for root access to a server to be gained. So while the report may have been paid for by Microsoft, that doesn't make even one Unix or Linux vulnerability acceptable. Similarly, we should continue to demand higher levels of security quality from Microsoft, and applaud their efforts when they do deliver. Even if Windows is not fully accepted today in the datacenter, it may very well be in several years time, and wishing for Microsoft products to be buggy and easily compromisable won't help anyone (but their competitors) in the end.
Peace,
Cameron Purdy
Tangosol, Inc.
Coherence: Easily share live data across a cluster!
Message #66740
liars, cheats, parasites and analysts
It surprises me that we still take reports from these so-called analyst firms seriously. What makes these firms analysts? Their analysis is nothing more than a subjective interpretation based on insufficient expertise and always greased by big corporations with an agenda to sell.
We have standards to rate the analyst firms on Wall Street (WSJ does an annual rating of all analyst firms). Why don't we have the same for these firms? Without quantitative benchmarks, these guys are just expensive and exclusive PR firms and nothing more.
Open source does not just threaten Microsoft; it also threatens the bread-and-butter of these parasites. The cost of making a wrong product choice when going with open source is less -- you don't need to buy the software and pay a dozen consultants to find out if the product will work for you; in most cases administrators working (with overtime pay, hopefully) can make that call easily, thereby mitigating the need to buy an expensive analyst report. No wonder these analysts are working hard to kill open source initiatives.
Try finding the analysts' position on open source software such as JBoss, Sendmail, PostGre or SAPDB. You won't, because none of these groups have any reason to fund such a study. So naturally, they push the most expensive products for each class on the gullible CIOs.
This is not to say that there may not be security vulnerabilities with open source software. But this report clearly is an attempt to secure their livelihood rather than disseminate any meaningful information.
Just my $.02
Message #66742
Open-Source Security Comes Under Fire
The article ignores a few important facts:
- The "security vulnerability count" for open source includes vulnerabilities that also affect closed-source software.
- Some advisories cover multiple vulnerabilities, but are ranked as one.
- Some advisories simply cover the fact that an older vulnerability is now commonly being exploited.
- Some advisories are entirely unrelated to security flaws, but instead take note of the fact that a particular distribution resource (FTP server) was cracked and trojaned copies are circulating.
- Advisory count contains no information as to the severity of a vulnerability: a remote root exploit is typically worse than a privilege elevation, which is worse than a denial of service attack, etc.
- There is no single Linux vendor which suffered all of the open-source vulnerabilities.
Regardless of whose security you believe to be superior, this article does nothing to substantiate its claim that "open-source software has taken over Microsoft Corp.'s position at the bottom of the security heap." If one desires to analyze security purely from a "vulnerability count" perspective, they should do so by comparing multiple products in specific configurations.
While we're on the subject of "vulnerability count" security analysis, anybody remember this gem? :)
http://abcnews.go.com/sections/tech/FredMoody/moody000802.html
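The objections in the post above, applied to a constructed advisory set as an added example (not code from the thread or the article): a raw per-camp advisory tally of the kind the report used, beside a per-vendor score that drops non-flaw notices, counts every bug bundled into one advisory and weights by severity. The vendor names, the severity weights and the sample advisories are all made up for illustration.

```python
"""Advisory-count critique as code (added example; constructed data only)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weights are an illustrative assumption, ordered as the post orders them:
# remote root > privilege elevation > denial of service.
SEVERITY_WEIGHT = {"remote_root": 5, "priv_esc": 3, "dos": 1}

# Constructed vendor -> camp map; the names are placeholders, not real products.
CAMP = {"distro-a": "open", "distro-b": "open", "closed-x": "closed"}


@dataclass(frozen=True)
class Advisory:
    ident: str
    kind: str                  # "flaw", "active_exploitation" or "trojaned_mirror"
    severity: str              # key of SEVERITY_WEIGHT
    vuln_count: int            # distinct vulnerabilities bundled in the advisory
    affected: Tuple[str, ...]  # vendors named in the advisory


# Constructed sample advisories, not real CERT data.
SAMPLE = (
    Advisory("A-1", "flaw", "remote_root", 1, ("distro-a", "closed-x")),  # shared bug
    Advisory("A-2", "flaw", "dos", 3, ("distro-b",)),                     # 3 bugs, 1 advisory
    Advisory("A-3", "active_exploitation", "priv_esc", 1, ("distro-a",)), # old bug, now exploited
    Advisory("A-4", "trojaned_mirror", "remote_root", 1, ("distro-b",)),  # mirror cracked, not a flaw
    Advisory("A-5", "flaw", "priv_esc", 1, ("closed-x",)),
)


def naive_camp_count(advisories) -> Dict[str, int]:
    """The report's method: one tick per advisory for each camp it touches."""
    counts = defaultdict(int)
    for adv in advisories:
        for camp in {CAMP[v] for v in adv.affected}:
            counts[camp] += 1
    return dict(counts)


def weighted_vendor_score(advisories) -> Dict[str, int]:
    """Per-vendor score: real flaws only, every bundled bug, severity-weighted."""
    scores = defaultdict(int)
    for adv in advisories:
        if adv.kind != "flaw":
            continue  # exploitation notices and trojaned mirrors are not new flaws
        for vendor in adv.affected:
            scores[vendor] += adv.vuln_count * SEVERITY_WEIGHT[adv.severity]
    return dict(scores)


def shared_advisories(advisories) -> List[str]:
    """Advisories charged to both camps, hence double-counted in the naive tally."""
    return [a.ident for a in advisories if len({CAMP[v] for v in a.affected}) > 1]
```

On this sample the naive tally gives the open camp 4 advisories to 2, while the weighted per-vendor score puts the closed vendor highest; which metric is reported decides the headline.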
Message #66743
Open-Source Security Comes Under Fire
My question is when are we going to find out that MS funded this study?
Message #66758
Open-Source Security Comes Under Fire
This is such a stupid argument. I mean, if you analyze anything - and I mean anything - you make it come under fire. It's just how big the flame is. In this case, the flame is fairly small. I don't see why the article has to make it appear to be much worse than it is compared to competing environments.
Message #66764
Open-Source Security Comes Under Fire
I think we can mostly conclude that open source is starting to get more popular.
:-)
If more white hats start using open source systems, then more black hats will start attacking them.
It would be stupid to assume that open source software does not have security problems. Of course it has. Not all programmers are equally good. And I doubt that many are actually reviewing the code.
But you can still argue that there is no reason to pay XXXX $ for getting commercial software that has as many bugs as the free alternatives.
Message #66765
What This Report Ignores
This report ignores the primary security advantage of Linux (and Unix) over Windows, which is that a production system can be "hardened" by disabling the various vulnerable services. This just isn't possible with Windows, due to lack of information about what the multitude of processes do and how they inter-relate.
The article does mention that the CERT statistics tend to "focus on the high-risk issues that are likely to affect a broad base of users". However, I'm much more concerned about the security of my production environment than anything else. Although obviously a security breach on any system is costly.
Message #66795
Open-Source Security Comes Under Fire - Its Obvious
<quote>
With linux, first thing i do is to go on google, linux forums etc ..There is no single place to find answer to a problem. Open source has to live with it.
</quote>
This is completely wrong if you're using a distribution like SuSE Linux. Security issues are solved much faster compared to Microsoft, there's a single access point, and installation is safer and more convenient.
Message #66809
Open-Source Security Comes Under Fire - Its Obvious
Thanks for the info. I had a different experience with SuSE.
In any case SuSE Linux is not the only Linux we use; rather it's just one part of the open source universe, and my view wasn't pointing to one particular flavor of Unix or Linux. I'm talking about non-MS O/S in general and other open source systems in general.